As a proud sponsor of the OWASP Mobile Security Project and the Global AppSec conference, NowSecure researchers helped develop and maintain the Radare2 Pay v1.0 Android crack-me app featured in the OWASP Mobile Security Testing Guide (MSTG). Intended to be similar to popular mobile payment applications, the Radare2 Pay app is difficult to crack. It features layers and layers of obfuscation and protection and anti-rooting technology in order to delay attacks.
Before joining the NowSecure research team this year, Grant Douglas worked as a mobile security consultant and has hundreds of mobile app pen tests under his belt. In this Q&A discussion, he shares insight about the differences between an attack and builder mindset, his favorite mobile appsec tools and technologies and his passion for CTF competitions.
NowSecure Mobile Security Researcher Dawn Isabel has been an avid contributor to bug bounties over the years and has earned many accolades. Before joining the expert research team at NowSecure, Isabel amassed well-rounded experience at IOActive, Hewlett Packard Enterprise, the University of Michigan and Ford Motor Company. We recently spoke with
Isabel about testing the security of iOS and Apple Watch apps, the bug bounty community, and the tools she uses most.
NowSecure announces the release of NowSecure Workstation 6.0. The turnkey hardware and software kit that empowers analysts to quickly conduct deep mobile application security assessments of Android and iOS apps and generate customized reports with actionable results users can trust. Traditional mobile app penetration testing can consume at least two weeks of manual effort and requires ample expertise and an abundance of open-source tools. NowSecure Workstation reduces testing time from weeks to mere hours, driving dramatic 10x productivity gains and scalability.
Reverse engineering refers to the process of taking something apart to see how it works. The NowSecure Services team frequently performs reverse engineering on mobile apps to uncover security vulnerabilities and privacy flaws. This tutorial will help you master the basics of analyzing an Android app and knowing what to look for.
Although we recommend periodic in-depth pen tests for high-risk mobile apps that run business-critical processes or access sensitive information, this practice doesn’t scale well for DevOps teams. Mobile app pen testing requires intense human labor that simply can’t keep pace with the volume, velocity and frequency of DevOps releases. Many organizations can benefit from incorporating automated mobile appsec testing in the mobile DevSecOps toolchain to speed the delivery of secure mobile apps.